CryptographicKey.ExportPublicKey into a non-encrypted PEM file

  • Question

  • Well, after many hours of banging my head against the monitor, this is my last "bump" into this journey.

    I need to sign some data in a windows store app, but said data has to be validated by another company.

    I've resorted to create the key pair inside the app and store it, for continuous use, but I need to extract the public key into a PEM format.

    Right now I'm trying this:

    // Export the public half as a PKCS#1 RSAPublicKey DER blob, then Base64-encode it
    string publicKeyBase64 = CryptographicBuffer.EncodeToBase64String(keyPair.ExportPublicKey(CryptographicPublicKeyBlobType.Pkcs1RsaPublicKey));

    But even after adding the BEGIN and END lines required by the PEM format, I can't seem to verify the signature as the key isn't valid.

    I've read that the keys are exported in an encrypted form, so how can I get the public key in a way I can use it or convert it to the format I need?

    Monday, December 16, 2013 1:18 PM
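    For anyone checking what the exported blob should look like on the wire, here is an added example; it is not code from this thread. CryptographicPublicKeyBlobType.Pkcs1RsaPublicKey yields a PKCS#1 RSAPublicKey structure, whose PEM label is RSA PUBLIC KEY; the more common PUBLIC KEY label belongs to a SubjectPublicKeyInfo wrapper, which WinRT exports as CryptographicPublicKeyBlobType.X509SubjectPublicKeyInfo. The Python below builds both DER encodings from a constructed toy modulus (not a real key), wraps them as PEM with the 64-character line length PEM readers expect, classifies a DER blob so the label can be checked against its structure, and parses the PEM back. The function and constant names are this example's own.

```python
"""Wrapping a raw RSA public-key blob into PEM (added example, not thread code).

Shows why a PKCS#1 RSAPublicKey blob and a SubjectPublicKeyInfo (SPKI) blob
need different PEM labels, using a constructed toy modulus with no security value.
"""
import base64
import re
from typing import Tuple

# Constructed toy values: 64-bit modulus with the high bit set (exercises the
# INTEGER leading-zero rule). A real key would be 2048 bits or more.
TOY_N = 0xF1E2D3C4B5A69788
TOY_E = 65537

# PEM label each WinRT public-key blob type needs (assumed names mirror the enum)
BLOB_LABELS = {
    "Pkcs1RsaPublicKey": "RSA PUBLIC KEY",      # PKCS#1 RSAPublicKey
    "X509SubjectPublicKeyInfo": "PUBLIC KEY",   # SubjectPublicKeyInfo
}

# DER value bytes of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # prepend 0x00 so the INTEGER stays positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def pkcs1_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_sequence(der_integer(n), der_integer(e))


def subject_public_key_info(pkcs1_der: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }"""
    algorithm = der_sequence(der_tlv(0x06, RSA_ENCRYPTION_OID), der_tlv(0x05, b""))
    bit_string = der_tlv(0x03, b"\x00" + pkcs1_der)   # leading byte: 0 unused bits
    return der_sequence(algorithm, bit_string)


def _content_offset(der: bytes, pos: int) -> int:
    """Offset of the value bytes for the TLV that starts at pos."""
    first = der[pos + 1]
    return pos + 2 + ((first & 0x7F) if first & 0x80 else 0)


def classify_public_key_der(der: bytes) -> str:
    """Return the PEM label matching the outer structure of a public-key DER."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    inner_tag = der[_content_offset(der, 0)]
    # PKCS#1 starts with an INTEGER (modulus); SPKI starts with a SEQUENCE
    return {0x02: "RSA PUBLIC KEY", 0x30: "PUBLIC KEY"}.get(inner_tag, "unknown")


def to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # PEM wraps at 64
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_for_blob(der: bytes, blob_type: str) -> str:
    """Map a WinRT CryptographicPublicKeyBlobType name to the PEM label it needs."""
    return to_pem(der, BLOB_LABELS[blob_type])


def from_pem(pem: str) -> Tuple[str, bytes]:
    """Parse one PEM block back into (label, DER bytes)."""
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n", pem, re.S)
    if not m:
        raise ValueError("not a single well-formed PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


if __name__ == "__main__":
    pkcs1 = pkcs1_rsa_public_key(TOY_N, TOY_E)
    print(pem_for_blob(pkcs1, "Pkcs1RsaPublicKey"))
    print(pem_for_blob(subject_public_key_info(pkcs1), "X509SubjectPublicKeyInfo"))
```

    The check before handing a PEM to a verifier is that the label matches the DER's outer structure (RSA PUBLIC KEY for the PKCS#1 blob, PUBLIC KEY for the SPKI one) and that lines are no longer than 64 characters; OpenSSL-based tooling typically rejects a PKCS#1 body under a PUBLIC KEY header as an invalid key.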

Answers

  • They don't need to verify the private key.

    They will only get the public key so they can verify the signature and confirm the data hasn't been tampered with.

    Anyway, I went another way and got what I needed working.

    Marking as closed.

    EDIT

    Adding some info for anyone who faces the same issue.

    I got around it by:

     - Creating private and public keys using openssl, with the specifications I needed.

     - Using the RSACryptoServiceProviderExtension sample from the awesome Christian Etter, wrote a small console app that would load the PEM Private Key, and export a CspBlob from said key, setting the parameter includePrivateParameters as 'true'.

    (Blob was exported as a string using Convert.ToBase64String method.)

     - On the WinRT app, use said blob, converted back to a byte array, to create the key pair, like this:

    // Rebuild the key pair from the CAPI PRIVATEKEYBLOB bytes exported by the console app
    keyPair = Algorithm.ImportKeyPair(privKeyBlob.AsBuffer(), CryptographicPrivateKeyBlobType.Capi1PrivateKey);

    It's a bit of a workaround, but it works.



    Tuesday, December 17, 2013 9:49 AM
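    Added example, not code from this thread or from Christian Etter's sample: the Base64 string produced from a CspBlob with includePrivateParameters set to true is a CAPI PRIVATEKEYBLOB (the layout CryptographicPrivateKeyBlobType.Capi1PrivateKey imports), so it carries the whole private key and has to be stored and handled as one. The Python below builds toy public and private blobs in that layout from constructed RSA values with a 16-bit modulus (no security value, only to exercise the code), decodes the BLOBHEADER and RSAPUBKEY prefix of any such blob so you can confirm which kind you are about to embed, and derives the public-only blob, which is the part that can be shared. The field layout (BLOBHEADER, RSAPUBKEY, little-endian multi-precision fields) follows the CryptoAPI key-BLOB format; the function names are this example's own.

```python
"""Inspecting a CAPI (Capi1) RSA key blob before importing it (added example).

Layout, per the CryptoAPI key-BLOB format:
  BLOBHEADER { bType, bVersion, reserved, aiKeyAlg }   8 bytes
  RSAPUBKEY  { magic 'RSA1'/'RSA2', bitlen, pubexp }   12 bytes
  modulus                                              bitlen/8 bytes
  (private only) p, q, dp, dq, iq (bitlen/16 each), d (bitlen/8)
All multi-precision fields are little-endian.
"""
import base64
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07   # BLOBHEADER.bType values
CALG_RSA_KEYX = 0x0000A400                   # aiKeyAlg for an RSA key-exchange key

# Constructed toy key: p=61, q=53, n=3233, e=17, d=2753 (16-bit, no security value)
TOY = dict(n=3233, e=17, d=2753, p=61, q=53, bitlen=16)


def _le(value: int, nbytes: int) -> bytes:
    return value.to_bytes(nbytes, "little")


def to_base64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


def csp_public_blob(n: int, e: int, bitlen: int) -> bytes:
    """What ExportCspBlob(false) produces: header + 'RSA1' + modulus."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, CALG_RSA_KEYX)
    return header + b"RSA1" + struct.pack("<II", bitlen, e) + _le(n, bitlen // 8)


def csp_private_blob(n: int, e: int, d: int, p: int, q: int, bitlen: int) -> bytes:
    """What ExportCspBlob(true) produces: header + 'RSA2' + modulus + CRT parts + d."""
    half = bitlen // 16
    dp, dq, iq = d % (p - 1), d % (q - 1), pow(q, -1, p)
    header = struct.pack("<BBHI", PRIVATEKEYBLOB, 2, 0, CALG_RSA_KEYX)
    return (header + b"RSA2" + struct.pack("<II", bitlen, e) + _le(n, bitlen // 8)
            + b"".join(_le(x, half) for x in (p, q, dp, dq, iq)) + _le(d, bitlen // 8))


def inspect_csp_blob(b64: str) -> dict:
    """Decode the prefix of a Base64 CAPI blob and report what it contains."""
    blob = base64.b64decode(b64)
    if len(blob) < 20:
        raise ValueError("too short for BLOBHEADER + RSAPUBKEY")
    btype, version, _reserved, alg = struct.unpack("<BBHI", blob[:8])
    magic = blob[8:12]
    bitlen, e = struct.unpack("<II", blob[12:20])
    nbytes, half = bitlen // 8, bitlen // 16
    expected = {(PUBLICKEYBLOB, b"RSA1"): 20 + nbytes,
                (PRIVATEKEYBLOB, b"RSA2"): 20 + 2 * nbytes + 5 * half}
    if (btype, magic) not in expected:
        raise ValueError(f"unrecognised blob: bType={btype:#x} magic={magic!r}")
    is_private = btype == PRIVATEKEYBLOB
    n = int.from_bytes(blob[20:20 + nbytes], "little")
    consistent = None
    if is_private and len(blob) == expected[(btype, magic)]:
        d = int.from_bytes(blob[20 + nbytes + 5 * half:], "little")
        consistent = pow(pow(2, e, n), d, n) == 2      # (2^e)^d == 2 mod n
    return {
        "type": "PRIVATEKEYBLOB" if is_private else "PUBLICKEYBLOB",
        "contains_private_key": is_private,
        "version": version,
        "alg_id": alg,
        "bit_length": bitlen,
        "public_exponent": e,
        "modulus": n,
        "length_ok": len(blob) == expected[(btype, magic)],
        "private_exponent_consistent": consistent,
    }


def public_blob_from_private(b64: str) -> str:
    """Derive the shareable PUBLICKEYBLOB from a PRIVATEKEYBLOB (Base64 in and out)."""
    info = inspect_csp_blob(b64)
    if not info["contains_private_key"]:
        raise ValueError("not a PRIVATEKEYBLOB")
    blob = base64.b64decode(b64)
    nbytes = info["bit_length"] // 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, info["alg_id"])
    return to_base64(header + b"RSA1" + blob[12:20] + blob[20:20 + nbytes])


if __name__ == "__main__":
    priv = to_base64(csp_private_blob(**TOY))
    print(inspect_csp_blob(priv))
    print(inspect_csp_blob(public_blob_from_private(priv)))
```

    Running inspect_csp_blob over the string you are about to embed is a cheap guard: if it reports contains_private_key as True, that string belongs in protected storage (or the key should be provisioned differently), and only the output of public_blob_from_private should ever leave the device.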

All replies

  • Hi Nuno,

    If you're creating a public/private key pair in the app, how can the other company properly verify that the private key comes from the app. Any app can then generate a key and sign some data and send it to the company. That is why a private key should be associated with a certificate and have the chain of trust lead to a trusted CA that can vouch for the validity of the subject.

    Thanks


    Carlos Lopez - Microsoft Escalation Engineer

    Tuesday, December 17, 2013 12:57 AM
    Moderator